In the DSM Editor, the event mapping shows all the event ID and category combinations that are in the system.
An event mapping represents an association between an event ID and category combination and a QID record (referred to as an event categorization). Event ID and category values are extracted from events by DSMs and are then used to look up the mapped event categorization, or QID. Event categorizations store extra metadata for the event that might not exist verbatim in the raw event data, such as a human-readable name and description, a severity value, or a low-level category assignment. Low-level categorization and severity are useful for searches and rule definitions.
For multi-tenant environments, any user-defined mapping or event categorization information that is defined in the DSM Editor becomes visible across all tenants. You must ensure that no tenant-specific data is put in any event categorization names or descriptions.
Identity Properties for Event Mappings
Identity data is a special set of system properties that includes Identity Username, Identity IP, Identity NetBIOS Name, Identity Extended Field, Identity Host Name, Identity MAC, and Identity Group Name.
When identity properties are populated by a DSM, the identity data is forwarded to the asset profiler service that runs on the JSA console. The asset profiler is used to update the asset model, either by adding new assets or by updating the information on existing assets, including the Last User and User Last Seen asset fields when an Identity Username is provided.
JSA DSMs can populate identity data for certain events, such as those that establish an association or disassociation between identity properties. Identity data is limited to these events both for performance and because only certain events provide new or useful information that is needed for asset updates. For example, a login event establishes a new association between a user name and an asset (an IP address, a MAC address, a host name, or a combination of them). The DSM generates identity data for any login events that it parses, but subsequent events of different types that involve the same user provide no new association information. Therefore, the DSM does not generate identity data for other event types.
Similarly, the DSMs for DHCP services can generate identity data for DHCP address assignment events, because these events establish an association between an IP address and a MAC address. DSMs for DNS services generate identity data for events that represent DNS lookups, because these events establish an association between an IP address and a host name or DNS name.
You can configure the DSM Editor to override the behavior of the identity properties. However, unlike other system properties, an overridden identity property has no effect unless it is linked to specific Event ID and Event Category combinations (event mappings). After identity property overrides are configured, go to the Event Mappings tab and select an event mapping to configure the specific identity properties for that event. Only identity properties that are available and captured by the configured property regex are populated for an event.
The Identity Username property is unique and cannot be independently configured. If any identity properties are enabled for a particular event mapping, then the Identity Username property is automatically populated for the event from the available Username property value.
Creating an Event Map and Categorization
An event mapping is an event ID and category combination that you use to map an event to a QID. With the DSM Editor, you can create a new event mapping to map unknown events to an entry in the QID map. You can also remap existing event mappings, either to a newly created event categorization (QID) or to one that already exists in the system.
- To add an event mapping, click the Add (+) icon on the Event Mapping tab of DSM Editor.
- Ensure that values are entered for the Event ID and Event Category fields.
- To create a new event categorization, use the following steps:
  - From the Create a new Event Mapping window, click Choose QID.
  - On the QID Records window, click Create New QID Record.
  - Enter values for the Name and Description fields, and select a Log Source Type, a High Level Category, a Low Level Category, and a Severity.
  - Click Save to create the new event categorization.
- To use an existing event categorization, use the following steps:
  - From the Create a new Event Mapping window, click Choose Event.
  - Search for an existing event categorization on the Event Categorizations window.
  - Select a High Level Category, Low Level Category, Log Source Type, or QID. Results are shown in the Search Results pane.
  - Click OK to add the event categorization.
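The following added example (not part of the JSA documentation or product code) models the behavior described above: property regexes extract the Event ID and Event Category, that pair is looked up in an event map to obtain a QID record with its metadata, and identity properties are populated only when they are enabled on that specific event mapping and actually captured, with Identity Username filled automatically from Username. The log format, property names, QID records and the `categorize` function are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
# Property regexes as a DSM Editor user would configure them (constructed format).
PROPERTY_REGEX = {
    "Event ID": r"evt_id=(\S+)", "Event Category": r"cat=(\S+)",
    "Username": r"user=(\S+)", "Source IP": r"src=(\S+)", "Host Name": r"host=(\S+)",
}

@dataclass(frozen=True)
class QidRecord:  # event categorization: metadata not present verbatim in the raw event
    name: str
    low_level_category: str
    severity: int
@dataclass
class EventMapping:
    qid: QidRecord
    # identity property -> source property; overrides only bind per event mapping
    identity: dict = field(default_factory=dict)

# Constructed event map keyed by (Event ID, Event Category); not JSA's real QID map.
EVENT_MAP = {
    ("AUTH_OK", "Authentication"): EventMapping(
        QidRecord("User Login Success", "User Login Success", 3),
        identity={"Identity IP": "Source IP", "Identity Host Name": "Host Name"}),
    ("FILE_READ", "File"): EventMapping(QidRecord("File Read", "Read Activity", 2)),
}

def extract(raw):
    """Apply each property regex; only properties actually captured are present."""
    props = {}
    for name, pattern in PROPERTY_REGEX.items():
        m = re.search(pattern, raw)
        if m:
            props[name] = m.group(1)
    return props

def categorize(raw):
    """Look up the QID for one raw event and build its identity data."""
    props = extract(raw)
    key = (props.get("Event ID"), props.get("Event Category"))
    mapping = EVENT_MAP.get(key)
    if mapping is None:  # unknown event: nothing in the QID map yet
        return {"mapped": False, "key": key}
    identity = {p: props[s] for p, s in mapping.identity.items() if s in props}
    if identity and "Username" in props:  # Identity Username is never set directly
        identity["Identity Username"] = props["Username"]
    return {"mapped": True, "qid": mapping.qid, "identity": identity}

if __name__ == "__main__":  # constructed sample: a login event from a hypothetical appliance
    print(categorize("evt_id=AUTH_OK cat=Authentication user=alice src=10.0.0.5 host=ws-05"))
```

Note that the FILE_READ mapping yields no identity data even though the same user and host appear in the event, which mirrors why a DSM generates identity only for login-type events.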